The head of the SEC's Office of Compliance Inspections and Examinations, Carlo di Florio, recently spoke about what his 900 professionals look for in conducting examinations of a wide range of financial institutions – noting the OCIE is breaking new ground. In carrying out its mission to improve compliance, prevent fraud, monitor risk, and inform policy, di Florio's office is expanding its focus to include boards of directors. In considering a firm's compliance culture, the OCIE is entering into direct discussions with boards of directors, to get a sense of the board's as well as senior management's attention to and focus on regulatory compliance issues. di Florio didn't name names, but media reports say such discussions already have taken place with the likes of Goldman, Morgan Stanley, Barclays and Wells Fargo. He did say that the new focus is due in part to the fact that a firm's compliance culture is an "elusive concept and a real challenge," having a huge impact on the extent to which a firm engages in ethical conduct, also noting the need to integrate compliance within risk governance processes.

If you've encountered Carlo di Florio, you may have observed a soft-spoken, gentle demeanor and charming personality. But that shouldn't be misinterpreted for anything less than a hard-nosed and rigorous approach on the part of him and his staff. Having worked with him in our “past life,” I can assure you that he is not only thoughtful and creative in approach, he can be relentless in pursuing objectives.

OCIE's approach is multifold, focusing first on review of a firm's policies and related procedures, including policy management and flexibility in dealing with evolving conditions. There's focus on effectiveness of communication and training, and on such matters as how a firm assigns responsibility and handles accountability. Also in its sights are monitoring and testing processes, protocols for communicating issues upstream, and internal whistleblower processes. di Florio notes that the better the internal processes, the less OCIE will need to do. Showing the depth of its insight, OCIE looks at such critical matters as where the power lies – the business side or legal/compliance – how bonus pools are allocated, independence of compliance staff, and involvement in critical decision-making. Also considered is the extent to which business units' compliance contributions figure in performance assessment and reward processes.

With all this, the focus on boards of directors is consistent with attention to the tone at the top of a firm. Carlo di Florio is moving the lines, and I've no doubt he and his staff will have a sharper focus on and greater insight into what drives compliance.

Vision is IBM’s global conference for finance and risk professionals to help improve planning, budgeting and forecasting, identify and mitigate risk, and meet the demanding requirements of XBRL, IFRS, Basel II and Solvency II with greater confidence.

I talked to Mauboussin about his book, making data-driven decisions, some common pitfalls as decision makers, and his upcoming talk at Vision.

“What's very exciting is that in the last half dozen years, we've had a real influx of data, and we're now just learning how to tap that data for the benefit of better decision making,” said Mauboussin. “Now we can create a better intersection between value creation and making decisions.”

The problem however, according to Mauboussin, is that we still have the same cognitive makeup and the propensity to make common mistakes.

“We often think about our own decision making as being objective and fact based and rational. And we tend to underestimate systematically how important the social context is for our decision making,” said Mauboussin.

To illustrate this point he told an interesting story from his book.

Researchers went into the wine section of a supermarket and set up French and German wines next to each other that were roughly matched in price and quality. Over a two week period they alternated playing distinctively French and distinctively German music to see if it would have any influence on purchase decisions.

Surprisingly, they found when French music played people bought French wine 77 percent of the time, and German wine 73 percent of the time when German music played. When asked if music affected their selections, the consumers unanimously said no.

“This basic experiment can be extrapolated to a lot of organizational settings where we think of ourselves as trying to be conscious and mindful as we make decisions. But indeed what is going on around us can be deeply influential to our decisions,” said Mauboussin.

So what do we do?

According to Mauboussin, the answer is to integrate more data into decision making. However, there is still a tension between the intuitive, seat-of-the-pants experience group and the analytically minded group.

“Either extreme is not going to work but a blend between the two is the right way,” said Mauboussin.

Read the rest of the interview with Michael Mauboussin on the Business Analytics Blog here.

This is the last in a series of four blog posts in which we present risk and compliance speaker and thought leader Michael Rasmussen's GRC maturity model. For more insightful information on GRC and to exchange ideas with risk and finance colleagues, come see us in Orlando at Vision 2012.

Getting to the Head of the Class: Advancing Your Organization's GRC Maturity

Organizations with GRC processes siloed within departments operate at the Unaware, Fragmented, or Integrated stage. At these stages GRC may be effective within a silo, but lacks an enterprise perspective of risk and compliance and gains no efficiencies from shared processes. Different departments may be at different levels of maturity.

The Aligned and Optimized maturity levels represent maturity of organizations with an enterprise GRC strategy, focused on developing a common GRC process, information and technology architecture. These organizations report process efficiencies reducing human and financial capital requirements, greater agility to understand and report on risk and compliance in a dynamic business environment, and greater effectiveness through the ability to report and analyze risk and compliance data from across the business. The primary difference between the Aligned and Optimized stage is the integration of GRC in the context of business performance, strategy and objective management. Organizations on this journey are successful when they have top-down support from executive management, and when various risk and compliance functions cooperate with the strategy to collaborate and share information and processes.

Considerations for Moving From Fragmented to Integrated

Departments at the Fragmented stage have siloed approaches to risk and compliance at the department level. This means no integration or sharing of risk and compliance information, processes or technology.

Considerations for Moving From Integrated to Aligned

Departments at the Integrated maturity stage are in a good place to lead the organization in an integrated GRC strategy to the Aligned stage. They have a strategic approach to GRC at the department level, supported by mature GRC processes that can be extended to other departments. These organizations have a shared-services approach to GRC to deliver common processes and integrated information.

To move from the Integrated to the Aligned stage requires a common risk catalog that shows the relationship of risks across the business and risk ownership. The purpose is to enable the business to make risk-informed decisions. Organizations should leverage risk insight to improve planning and strategic decisions. A common governance model for GRC is used across lines of business, functions and processes. The organization needs a common GRC methodology and taxonomy in place, supported by shared services. GRC architecture must be extensible and configurable with strong business intelligence capabilities. Organizations at this level report process efficiencies reducing human and financial capital requirements, greater agility to understand and report on risk and compliance in a dynamic business environment, and greater effectiveness through the ability to report and analyze risk and compliance data from across the business.

Considerations for Moving From Aligned to Optimized

The difference between the Aligned and Optimized stages is primarily one of context. At the Aligned stage the organization provides a consistent approach to managing GRC across the business. This is supported by an established GRC process, information and technology architecture. While GRC is understood in the context of the business, it is still focused more on risk and compliance than on performance and strategy. At the Optimized stage, the organization has performance, strategy and objectives setting the context.

Achieving the Optimized stage requires GRC expectations set as part of the annual strategic planning processes. The organization has extensive measurement and monitoring of GRC in the context of business strategy, performance and objectives. There is shared information and technology between risk, control and compliance management as well as decision support, optimization and business intelligence. The organization has integrated risk and finance data to drive performance and maximize value creation.

Fundamental Steps to Establishing Your GRC Strategy

To achieve the benefits other organizations have seen from a GRC strategic plan and common approach, Corporate Integrity recommends the following next steps:

Gain executive support and sponsorship of the GRC strategy: The organization needs to work in harmony on GRC. Different groups doing their own thing handicap the business. Executive support is the key to ensure that risk and compliance silos work together.

Establish a dedicated cross-functional team focused on a common GRC approach: Due to the complexity of business, it is necessary to dedicate a cross-functional team to oversee ongoing harmonization of GRC processes, integration of GRC information, continued collaboration across risk and compliance functions, and ongoing execution of the GRC strategic plan. This group identifies strengths within existing functions and enables other areas to benefit from them. The goal of this team is to develop a shared framework, processes and information.

Define an enterprise risk framework and catalog: Companies must document and prioritize enterprise risks in a structured taxonomy. This includes defining who owns the risk, the subject matter expert for the risk and which function or process monitors the risk. Policies, controls and events must be mapped back to the enterprise risk framework.

Develop harmonized processes: Key to success is identification of shared processes and information for GRC across the enterprise. This includes identifying technology solutions to support integrated information and process architecture.

Focus on quick wins: The company must develop GRC project timelines focused on quick wins, where economies can be gained quickly and the value of GRC proven. From there, the company can move on to more detailed issues that can achieve significant efficiencies, but take longer to integrate and implement.

This is the third in a series of four blog posts in which we present risk and compliance speaker and thought leader Michael Rasmussen's GRC maturity model. For more insightful information on GRC and to exchange ideas with risk and finance colleagues, come see us in Orlando at Vision 2012.

Five Stages of GRC Maturity

Mature GRC is a seamless part of governance and operations. It requires the organization to take a top-down view of risk, led by the executives and the board, and made part of the fabric of business, not an unattached layer of oversight. It also involves bottom-up participation where business functions at all levels identify and monitor uncertainty and the impact of risk.

Corporate Integrity has developed the GRC Maturity Model to articulate an organization’s maturity in GRC processes.

1: Ad Hoc/Unaware — Department-Level Maturity
Businesses at this stage do not understand the interdependencies of GRC within specific business functions. Few if any resources are allocated to risk and compliance. The organization addresses risk and compliance in a reactive mode — doing assessments when forced to. There is no ownership or monitoring of risk and compliance, and certainly no integration of risk and compliance information and processes even at the department level.

Characteristics of this GRC stage are:

No assigned risk owners or accountability for risk, control or compliance.

Risk, compliance and controls are documented and maintained only as-needed.

Assessments are done reactively in response to mandates.

Risk and compliance information is managed in documents and spreadsheets with little to no GRC technology in place.

There is no trending or analytics to track the state of risk and compliance.

Organizations in the Ad Hoc/Unaware GRC stage answer many of the following questions affirmatively:

☐ Does risk and compliance lack clear owners and accountability within departments?

☐ Are assessments and controls put in place after-the-fact, when the organization realizes it is exposed or someone is insisting?

☐ Is risk and compliance largely undocumented, or trapped in silos of spreadsheets and documents?

☐ Does the organization lack any process, information and technology architecture to support risk and compliance?

☐ Does the department or business function have no ability to report and trend risk and compliance over time?

2: Fragmented — Department Level Maturity
In the Fragmented GRC stage, departments are focused on risk and compliance within respective functions — but information and processes are highly redundant within the department. The organization may have limited integrated processes for risk and compliance but largely does not benefit from the efficiencies of an integrated approach. The department is still very document-centric and lacks an integrated process, information and technology architecture for GRC at the department level.

Characteristics of the Fragmented GRC stage are:

Risk and compliance is tactical and siloed within the department.

There is accountability for risk and compliance.

Risk and compliance assessments are project-focused, not an ongoing effort of continuous monitoring.

There is some use of risk and compliance technology, but no integration or sharing of information and processes at the department level.

The organization struggles with risk and compliance information trapped in silos of databases, spreadsheets and documents.

Measurement and trending are limited, consume resources and take a lot of time because of the scattered nature of risk and compliance information.

Organizations in the Fragmented GRC stage answer many of the following questions affirmatively:

☐ Are risk and compliance activities tactical and siloed?

☐ Does the organization lack an integrated risk and compliance approach at the department level?

☐ Is risk and compliance information scattered across various documents and technology sources?

☐ Is it difficult and time-consuming to track and trend risk and compliance information and reporting?

3: Integrated — Department Level Maturity
The Integrated stage represents a mature GRC program at the department level that has not expanded as a strategy across multiple departments. The department or business function has defined processes for GRC, an integrated information architecture supported by technology and ongoing reporting, accountability, and oversight for risk and compliance.

Characteristics of the Integrated GRC stage are:

There are defined processes and a strategy for GRC at the department level.

Risk and control owners are defined and held accountable.

There are established processes and regular assessments for risk and compliance.

The department has a defined information architecture supported by GRC technology.

The department can readily trend, monitor and report on GRC at any time and across periods without significant inefficiencies.

Organizations in the Integrated GRC stage answer many of the following questions affirmatively:

☐ Does the organization have mature risk and compliance processes at a department level?

☐ Can the department readily report and trend on risk and compliance over time?

☐ Have departments removed reactive document-centric approaches?

☐ Is there clear accountability and responsibility for risk and compliance at a department level?

4: Aligned — Enterprise GRC Maturity
It is at the Aligned GRC stage that the organization has a cross-department strategy for managing risk and compliance. GRC is aligned across several departments to provide a consistent framework, processes, information and technology to streamline GRC processes. The organization is seeing gains in addressing risk and compliance through shared processes and information that achieve greater agility, efficiency and effectiveness in risk and compliance operations.

Characteristics of the Aligned GRC stage are:

There is a defined GRC strategy that crosses several or all GRC functions across the business.

Silos of GRC are effectively eliminated, though there may remain some holdouts.

Clear accountability and ownership of risk and control is established across the organization.

There is a common process, technology and information architecture supporting GRC across the business.

The business is able to trend and report on GRC across departments.

Organizations in the Aligned GRC stage answer many of the following questions affirmatively:

☐ Does the organization have a GRC strategy that goes across departments?

☐ Are a majority of risk and compliance functions participating in the GRC strategy?

☐ Does the organization have shared processes for GRC?

☐ Does the organization have a shared information and technology architecture for GRC?

☐ Can the organization report and trend on GRC across departments?

☐ Can the organization aggregate and understand risk across the business?

5: Optimized — Enterprise GRC Maturity
At the Optimized GRC stage, the organization has completely moved to an integrated approach to GRC across the business. This results in a shared-services approach in which core GRC processes that span GRC functions are shared centrally. Not only has the organization implemented a shared vision of GRC across all relevant functions, but it also manages GRC in the context of the business. There is integration and a relationship between GRC and performance management. GRC is understood in terms of Principled Performance and is integrated with business performance, objectives and strategy.

Characteristics of the Optimized GRC stage are:

A cohesive GRC strategy is integrated throughout the business.

The GRC strategy is supported and understood by the board and executive management.

GRC expectations are part of the annual strategic planning process.

GRC is understood, measured, and monitored in the context of business performance, strategy and objective management.

Regular measurement and monitoring of risk and compliance in the context of the business and performance is done.

Organizations in the Optimized GRC stage answer many of the following questions affirmatively:

☐ Is there a single GRC strategy for the entire organization that all departments participate in?

☐ Is GRC understood and monitored in the context of business performance?

☐ Is risk a key element in strategic planning?

☐ Can the organization monitor and trend GRC in the context of organization strategy, performance and objective management?

☐ Does the organization have mature processes, information and technology implementations to support GRC?

☐ Is there regular monitoring for improvement in GRC?

Come back next week to view the final post in this series: Getting to the Head of the Class: Advancing Your Organization's GRC Maturity

This is the second in a series of four blog posts in which we present risk and compliance speaker and thought leader Michael Rasmussen's GRC maturity model. For more insightful information on GRC and to exchange ideas with risk and finance colleagues, come see us in Orlando at Vision 2012.

GRC Maturity — Measuring a New Paradigm for Risk and Compliance

Lacking an integrated view of GRC results in business processes, partners, employees and systems that behave like leaves
blowing in the wind. Modern business requires a new paradigm for tackling risk and compliance issues across the enterprise.
No longer can organizations afford to focus on single risk and compliance issues as unrelated projects; nor can they allow
software Band-Aids that are not integrated with the business to masquerade as GRC. A targeted strategy addressing GRC
through common processes, information and technology gets to the root of the problem.

With changing and diverse risks bearing down on the organization, there is a clear need to tackle the problem at its root
and develop a mature approach to GRC. Instead of treating each risk and compliance issue as an individual problem,
organizations need to define a common process, information and technology architecture to manage GRC across the range
of issues.

To address these issues, leading organizations have adopted a common framework, information architecture and shared
processes to effectively manage risk and compliance, enable risk-aware decision-making, increase efficiencies, and be agile
in response to the needs of a dynamic business environment.

The questions organizations must ask:

☐ Does the business have the information to make risk-based decisions about the future of the company, when they don’t have a clear view of the risk landscape?

☐ Does the business know its risk exposure at the enterprise, business process and control levels, and how they interrelate?

☐ How does the business know it is taking and managing risk effectively to achieve optimal operational performance and hit strategic objectives?

☐ Can the business accurately gauge the impact of risk-taking on business strategy?

☐ Does the business get the information it needs so it can take timely action on risk exposure to avoid or mitigate negative events?

☐ Does the business monitor key risk indicators across systems, relationships and processes?

☐ Is the business optimally measuring and modeling risk?

☐ Is the business meeting its regulatory and other obligations?

A well-defined GRC environment will not only do risk assessment and modeling, but will also deliver definition,
communication and training on risk-taking and accountability. The organization must map the interrelationship of risks to
controls, policies, enterprise assets (e.g., business process, employees, relationships, physical assets and logical assets), and
incidents to business strategy, objectives and corporate performance.

Mature GRC delivers better business outcomes because of stronger integrated information, which will:

Deliver consistent and accurate information about the state of risk and compliance initiatives, to assess exposure.

Improve decision-making and business performance through increased insight and business intelligence.

Architect integrated GRC systems and processes

A properly defined GRC architecture is built upon common process, information and technology components that are
adaptive to a dynamic business environment and integrate with critical enterprise applications. No longer is risk and
compliance about an annual audit; it now involves continuous monitoring in an ever-changing environment. GRC has to be
sustainable as an ongoing and integrated part of business processes. A successful and mature GRC strategy has a symbiotic
influence on the variety of business stakeholder roles and their common requirements.

Organizations need to be intelligent about what processes and technologies they deploy. The goal is to make an effective
decision once, and comply with many regulations, manage a range of risks and maximize value from the convergence
of technology, people and process. A sustainable approach to GRC results in an organization looking to the future and
mitigating risk in the course of business, as opposed to putting out fires by reacting to risk and control issues as they arise.

Mature GRC enables the organization to understand performance in the context of risk and compliance. It achieves the
definition of GRC, which is “a capability that enables an organization to reliably achieve objectives [GOVERNANCE] while
addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE].” Effective and mature GRC delivers:

Holistic awareness of risk: There is a defined risk taxonomy across the enterprise that structures and catalogs risk in the context of business and assigns accountability. A consistent process identifies risk and keeps the taxonomy current. Various risk frameworks are harmonized into an enterprise GRC framework.

Establishment of culture and policy: Policy must be communicated across the business to establish a risk and
compliance culture. Policies are kept current, and reviewed and audited on a regular basis. Risk appetite and
tolerance are established and reviewed in the context of the business, and are continuously mapped to business
performance and objectives.

Risk-intelligent decision-making: This means the business has what it needs to make risk-intelligent business
decisions. GRC strategy is integrated with business strategy — it is an integral part of business responsibilities. Risk
assessment is done in the context of business change and strategic planning, and structured to complement the
business lifecycle to help executives make effective decisions.

Accountability of GRC: Accountability and risk ownership are established features of GRC. Every risk, at the
enterprise and business-process level, has clearly established owners. Risk is communicated to stakeholders, and
the organization’s track record should illustrate successful risk tolerance and management.

Multidimensional GRC analysis and planning: The organization needs a range of GRC analytics, correlation and
scenario analysis. Various qualitative and quantitative risk analysis techniques are in place and the organization has
an understanding of historical loss to feed into analysis. Risk treatment plans — whether acceptance, avoidance,
mitigation or transfer — must be working and monitored for progress.

Visibility of risk as it relates to performance and strategy: The enterprise views and categorizes risk in the context of corporate objectives, performance and strategy. Key risk indicators (KRIs) are implemented and mapped to key performance indicators (KPIs). Risk indicators are assigned established thresholds and trigger reporting that is relevant to the business and effectively communicated. Risk information adheres to standards of information quality, integrity, relevance and timeliness.

This is the first in a series of four blog posts in which we present risk and compliance speaker and thought leader Michael Rasmussen's GRC maturity model. For more insightful information on GRC and to exchange ideas with risk and finance colleagues, come see us in Orlando at Vision 2012.

Success in today’s dynamic business environment requires organizations to
integrate, build and support business processes with an enterprise view of
governance, risk management and compliance (GRC). Without an integrated view
of risk and compliance, the scattered and nonintegrated approaches of the past fail
and expose the business to unanticipated risk.

In a mature GRC program, the organization has an integrated process, information
and technology architecture that provides visibility across risk and compliance
domains. It offers an integrated approach for business managers and executives to
leverage GRC data for risk-aware decision-making and resource allocation.

Inevitable Failure: Managing GRC in Silos

The multifaceted risk environment

Risk to the business is like the hydra in mythology — organizations combat risk,
only to find more risk springing up to threaten them. Executives are constantly
reacting to risk appearing around them and fail to actively manage and understand
the interrelationship of risk across the enterprise.

The dynamic and global nature of business is particularly challenging to risk management. As organizations expand
operations and business relationships (e.g., vendors, supply chain, outsourcers, service providers, consultants and staffing)
their risk profile grows exponentially. Organizations need to stay on top of their game by monitoring risk to their business
internally (e.g., strategy, processes and internal controls) and externally (e.g., competitive, economic, political, legal and
geographic environments) to stay competitive in today’s market. What may seem an insignificant risk in one area can have
profound impact on others.

Organizations are increasingly aware of the critical need to link risk management and corporate performance management. To manage corporate performance, organizations must understand risk and make risk-informed business decisions.

In the area of regulatory risk, organizations face an expanding regulatory environment with rapidly increasing requirements
that burden the business. Organizations face expanding regulations, increased fines and sanctions, and aggressive regulators
and prosecutors around the world. Reputation and brand protection is also a significant compliance and risk management
issue in a global environment.

Isolated risk and compliance initiatives introduce greater risk

Managing GRC activities in disconnected silos leads the organization to inevitable failure. Reactive, document-centric and
manual processes for GRC fail to actively manage risk in the context of business strategy and performance, and leave the
organization blind to intricate relationships of risk across the business. Siloed GRC initiatives never see the big picture and
fail to put GRC in the context of business strategy, objectives and performance, resulting in complexity, redundancy and
failure. The organization is not thinking about how GRC processes and controls can be designed to meet a range of risk and
compliance needs. An ad hoc approach to GRC results in poor visibility across the organization and its control environment,
because there is no framework or architecture for managing risk and compliance as an integrated part of business. When
the organization approaches risk in scattered silos that do not collaborate with each other, there is no possibility to be
intelligent about risk and understand its impact on the organization.

A nonintegrated approach to GRC impacts business performance and how it is managed and executed, resulting in:

Redundant and inefficient processes: Organizations often take a Band-Aid approach and manage risk in
disconnected silos instead of thinking of the big picture, and how resources can be leveraged and integrated for
greater effectiveness, efficiency and agility. The organization ends up with varying processes, systems, controls
and technologies to meet individual risk and compliance requirements. This means multiple initiatives to build
independent GRC systems — projects that take time and resources and result in inefficiencies.

Poor visibility across the enterprise: A reactive approach to GRC with siloed initiatives results in an organization
that never sees the big picture. The organization ends up with islands of oversight that are individually assessed and
monitored. The line of business is burdened by multiple and differing risk and compliance assessments asking the
same questions in different formats. The result is poor visibility across the organization and its GRC environment.

Overwhelming complexity: Varying risk and compliance frameworks, manual processes, over-reliance on
spreadsheets, and point solutions that lack an enterprise view introduce complexity, uncertainty and confusion to
the business. Complexity increases inherent risk and results in processes that are not streamlined and managed
consistently — introducing more points of failure, gaps and unacceptable risk. Inconsistent GRC not only confuses
the organization but also regulators, stakeholders and business partners.

Lack of business agility: Running a reactive GRC strategy, managed in siloed and manual processes with hundreds or
thousands of disconnected documents and spreadsheets, handicaps the business. The organization cannot be agile in a
demanding, dynamic and distributed business environment. This is exacerbated by documents, point technologies and siloed
processes that are not at the enterprise level and lack analytical capabilities. People become bewildered in a maze of
varying approaches, processes and disconnected data organized without any sense of consistency or logic.

Greater exposure and vulnerability: No one looks at GRC holistically across the enterprise. The focus is on
what is immediately before each department and not the complex relationship and dependencies of risk across
the organization. This is exacerbated by many so-called GRC solutions that focus on assessment and replacing
spreadsheets, but do not deliver analytics or align with business applications. This creates gaps that cripple GRC,
and a business that is ill-equipped for aligning GRC to the business.

The pain organizations have expressed

Siloed GRC processes, though effective in their own silos, are ineffective at an aggregate level, as the organization does not
have a complete view of GRC in the context of the business. Corporate Integrity finds organizations that lack a collaborative,
integrated and enterprise approach to GRC have:

Inability to gain a clear view of risks and their dependencies.

High costs to consolidate disparate data silos and documents.

Difficulty maintaining accurate data.

Failure to report and trend GRC across assessment/reporting periods.

Unreliable or irreconcilable risk assessment results, because of different formats and approaches.

Redundancy in risk management and compliance efforts.

Failure to provide intelligence to support decision-making that crosses risk and compliance areas.

Inconsistency in approaches to risk and compliance activities.

Different vocabulary and processes that limit correlation, comparison and integration of information.

Lack of agility to respond in a timely way to changing environments and situations.

The SEC’s final rules implementing Dodd-Frank’s whistleblowing provisions failed to remove angst among compliance officers and general counsels. While there are some incentives for potential whistleblowers to first report alleged misconduct via internal reporting channels, there’s no requirement to do so – and many are concerned the internal channels will be bypassed. And going outside is on the rise. It’s been reported that in only seven weeks after the SEC’s program began, there were 334 whistleblower filings. Compliance officer concerns are well founded – that bypassing internal channels will deprive the company of the ability to investigate and fix problems before they grow, and company personnel will need to play catch-up with investigations in reaction to SEC probes.

We can point to many resolved whistleblowing cases for clear evidence of the potential impact of the SEC’s still relatively new program. One homeowner delinquent on her mortgage ultimately received $18 million for reporting suspected use of fraudulent documents in the bank’s foreclosure process. It’s said that in acting against this homeowner – an attorney and career insurance fraud investigator – the bank “picked the wrong person at the wrong time in the wrong place,” but the robo-signing and other compliance failures were widespread and surfaced from a number of sources. Nonetheless, this individual was one of six whistleblowers receiving $46.5 million said to be part of the five-bank $25 billion settlement. In an unrelated case, a member of a major bank’s quality control team who reportedly was displeased that the misconduct wasn’t reported to regulators decided to do so herself – ending up with a settlement of $31 million. And there are many more.

Worth noting is a recent survey that indicates more than one-third of American workers have seen misconduct on the job. While many instances of misconduct have been reported through internal channels, it appears the vast majority have not. Why? The survey shows it’s because of fear of not being able to remain anonymous, and of retaliation. Those two factors, plus the possibility of monetary reward, are reported as key factors in incentivizing internal reporting. And the survey also shows two-thirds of respondents didn’t know about the SEC’s program – at least not yet.

Certainly it’s in a company’s interest to be first to know about alleged misconduct, and compliance officers are working hard to upgrade policies, training, communications, and the internal whistleblower systems, all to encourage internal reporting. Actions to ensure anonymity, with positive responses and nothing close to retaliation, are expected to help. Some companies have begun to pay bounties for valued reports. There are indications that when employees believe their reports will be taken seriously without adverse repercussions, there’s increased likelihood for internal reporting. Law firms and others have provided guidance on which companies are acting. However, it remains to be seen the extent to which the possibility of a huge, life-changing payday by the SEC will be too much to resist. Time will tell.

Regular readers of this blog undoubtedly are familiar with the FCPA and related Justice Department and SEC enforcement activities. On a personal note, I remember well when the FCPA was enacted, as I took on responsibility in my firm for providing our clients with analysis, guidance, and support materials to help deal with the new law. Emphasis was put as much on the Act’s internal control provisions, which require (with somewhat different terminology) effective systems of internal control over financial reporting – this of course, long before SOX. Companies did look at their internal control systems for opportunities for strengthening, but without required management reporting or auditor involvement, we did not see the kind of focus that came in more recent years under SOX. Significant attention was given to the bribery provisions, though with little regulatory enforcement activity for many years, attention subsequently waned.

But life under the FCPA now is very different. It’s reported that in the last four years 58 companies paid almost $4 billion in settlements – including Siemens (whose securities are traded in the U.S.) paying $800 million each to the German and U.S. regulators – and 42 individuals have been convicted. Early this year, for example, an oil company executive was sentenced to a two-and-one-half-year prison term. “I am truly sorry,” he said, “I lost touch.” At the moment some 78 companies are reportedly under investigation, including the likes of Alcoa, Avon, Goldman Sachs, HP, Pfizer, and Wal-Mart – it remains to be seen whether they will be formally charged. And we know that Rupert Murdoch’s News Corporation, among others, is in regulators’ sights.

There has been pushback by business, saying regulators have been overzealous and thereby stifling legitimate business initiatives – especially so with their going after not only companies but individual executives as well. The United States Chamber of Commerce is looking to have the law amended, with a Chamber official recently noting “The last time I checked, we were not living in a police state.” But enforcement officials don’t seem to be perturbed, with the assistant Attorney General making clear that the Department is expanding its staff and enforcement actions are on the rise. With that said, discussions between the groups have begun, and desired guidance may be forthcoming.

What to do? Clearly there’s no silver bullet. Close attention needs to be paid to ensuring strong compliance programs – which, importantly, the DOJ has said it will look to in a positive way when considering enforcement actions. Yes, further clarity has been requested from the Department in that regard, and we know about concerns with Dodd-Frank’s whistleblower provisions, but that shouldn’t stop compliance officers and senior managements from continuing efforts to strengthen internal programs. Many law and other firms have provided guidance on identifying high-risk areas and steps to be taken, which certainly are worth serious consideration. Among important areas of focus are risk assessment, policy management, clear authorities and fixed responsibility among line managers, real time communication, close monitoring by line management as well as compliance and internal audit personnel, and immediate and decisive action when red flags appear. It’s not easy, but with the Act in place and regulators expanding scope, close attention is critical.

IBM Watson goes to work in financial services as a risk expert. One of the largest financial services institutions and IBM are now partnering to enhance and simplify the consumer banking experience with faster, more accurate decisions, better risk assessment, and more targeted customer offers.

IBM Watson is transforming expectations for how technology can help individuals live and work in better ways. Its ability to make sense of vast quantities of unstructured information, communicate in natural human language, learn from experience, and offer confidence-weighted responses is already a game changer in healthcare. Focusing these capabilities on financial services brings new possibilities for higher service levels to an expanded set of users.

For those who do not know IBM Watson: Watson is an artificial intelligence computer system capable of answering questions posed in natural language, developed in IBM's DeepQA project. As a test of its abilities, Watson competed on the quiz show Jeopardy!, in the show's only human-versus-machine match-up to date. In a two-game, combined-point match, broadcast in three Jeopardy! episodes on February 14–16, 2011, Watson beat Brad Rutter, the biggest all-time money winner on Jeopardy!, and Ken Jennings, the record holder for the longest championship streak (74 wins).

Now what will that bring to our financial services clients? Potentially an assistant to client service professionals that helps deliver evidence-based recommendations across multiple areas of the bank, including credit cards, private banking, wealth management, and call centers. Because Watson can process far more information, far faster, than a human analyst, it can run cross-checks, flag potential fraud, score risk, and so on. It can analyze data such as client information, online news reports, blogs, Twitter feeds, analyst reports, regulations, credit ratings, and government securities filings, which can help suggest options targeted to a consumer's individual circumstances.

If you’re in or work with the financial services industry, you probably know about the late December holiday "gift" from the U.S. Federal Reserve – proposed rules implementing provisions of the Dodd-Frank Act which could have a profound effect on how boards and managements deal with risk. In any event, you’ll want to keep in mind that the Fed is accepting comments only for the next month – until March 31.

The proposed rules are far-reaching, including requirements for risk-based capital and leverage, liquidity, stress tests, single-counterparty credit limits, debt-to-equity limits, and early remediation. They apply generally to bank holding companies with consolidated assets of $50 billion or more, as well as non-bank firms designated as systemically important. But some of the rules – those for stress testing, and requiring board-level risk committees and related risk management activities – also apply to smaller public firms with consolidated assets of $10 billion or more. Obviously, reading the fine print is important for all who may be subject to these proposals.

The risk committee is required to "document and oversee, on an enterprise-wide basis, the risk-management practices of the company's worldwide operations." The committee would be chaired by an independent director, and at least one member needs to have risk-management expertise commensurate with the company's size, complexity, and other risk-related factors. Further, its members are expected to understand risk-management principles and practices relevant to the company, with specified experience in risk management. And there are rules for a committee charter, meetings, and documentation.

The committee’s responsibilities include reviewing and approving an appropriate risk-management framework commensurate with the company's size and other factors. The framework’s scope is outlined, including requirements for risk limits appropriate to each line of business, policies and procedures for risk-management practices, processes for identifying and reporting risks, monitoring compliance with risk limits and procedures, and specification of management's authority and independence to carry out risk-management responsibilities. Additionally, the larger covered companies will need to appoint a chief risk officer in charge of implementing and maintaining the risk-management framework and practices approved by the risk committee, with the rules specifying responsibilities and qualifications for the CRO and reporting relationships.

If not already under way, now is the time to analyze the proposal and its implication, and let the Fed know what changes are needed. If interested, you might want to tune into the upcoming IBM OpenPages webinar where I’ll be discussing the proposed rules, their implications and the challenges they present – March 8, 2:00 pm Eastern Time.

Last week I came across project risk, and not for the first time! So, time to spend some words on this topic.

Organizations in Energy & Utilities and Manufacturing in particular carry huge risks in their assets and in their projects. You think you have identified all risks through the standard risk identification process, and then you find you just missed that elephant?! This can hit your yearly financial result, or worse.

This is why more and more clients are starting to look at project risk methodologies. My client happened to use the PMBOK methodology. In this methodology you consider standard project phases, including standard risks and controls. This is great, since it covers most of the standard risks. But what about the risk that is just not standard? This is where gate reviews will help you. These gate reviews are held after every project phase. Each gate review contains questions used to identify risks, holds monitoring methodologies to check status and behavior, and contains audit-like activities. The key element here is that all findings roll up to the top level, so no significant risk can be missed.

This all works for what we call manageable risks, but what about risks that you cannot manage? How can you anticipate them? These risks can be covered by sensitivity analysis, simulations and business continuity management. Sensitivity analysis and business continuity analysis in particular will help you. For simulations you will need data, and a significant amount of it. Only if you have many similar projects running in a regular cycle will you be able to collect enough risk identifications and losses to make a sensible calculation, such as a Monte Carlo simulation.
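To make the last two ideas concrete, here is an added example (written for this post; it is not IBM OpenPages or Deloitte code) of a Monte Carlo aggregation over a small project risk register, followed by a one-at-a-time sensitivity analysis on the resulting P80 contingency. The register, the triangular cost ranges and the probabilities are constructed for illustration; the function names are my own.

```python
"""Monte Carlo aggregation and one-at-a-time sensitivity analysis for a
project risk register.  Added example for this post, not IBM OpenPages or
Deloitte code; the register below is constructed for illustration."""
import math
import random

# Constructed sample register: (name, probability the risk occurs,
# minimum / most likely / maximum cost impact if it does).  Hypothetical
# figures for a wind-farm build; nothing here is from a real project.
RISK_REGISTER = [
    ("late turbine delivery", 0.30,   200_000,   500_000, 1_500_000),
    ("permit delay",          0.20,   100_000,   300_000,   900_000),
    ("contractor insolvency", 0.05, 1_000_000, 2_000_000, 5_000_000),
    ("scope creep",           0.50,    50_000,   150_000,   400_000),
]


def triangular(rng, low, mode, high):
    """Inverse-transform draw from a triangular(low, mode, high) distribution,
    using only rng.random() so results are reproducible for a given seed."""
    u = rng.random()
    c = (mode - low) / (high - low)
    if u < c:
        return low + math.sqrt(u * (high - low) * (mode - low))
    return high - math.sqrt((1.0 - u) * (high - low) * (high - mode))


def simulate(register, runs=10_000, seed=42):
    """Return the sorted total risk cost of `runs` simulated projects.
    In each run every risk is first tested for occurrence (Bernoulli on its
    probability) and, if it occurs, costed with a triangular draw."""
    rng = random.Random(seed)
    totals = []
    for _ in range(runs):
        total = 0.0
        for _name, prob, low, mode, high in register:
            if rng.random() < prob:
                total += triangular(rng, low, mode, high)
        totals.append(total)
    totals.sort()
    return totals


def percentile(sorted_values, q):
    """Nearest-rank percentile of an already sorted list (0 < q <= 1)."""
    n = len(sorted_values)
    idx = min(n - 1, max(0, math.ceil(q * n) - 1))
    return sorted_values[idx]


def summarise(register, runs=10_000, seed=42):
    """Expected loss plus the P50/P80/P95 contingency levels."""
    totals = simulate(register, runs, seed)
    return {
        "expected_loss": sum(totals) / len(totals),
        "p50": percentile(totals, 0.50),
        "p80": percentile(totals, 0.80),
        "p95": percentile(totals, 0.95),
        "max": totals[-1],
    }


def expected_loss_analytic(register):
    """Closed-form expected loss: sum of probability x triangular mean.
    Used as a sanity check on the simulated mean."""
    return sum(p * (low + mode + high) / 3.0
               for _n, p, low, mode, high in register)


def sensitivity(register, level=0.80, runs=10_000, seed=42):
    """One-at-a-time sensitivity: drop each risk in turn and report how much
    the contingency at `level` falls.  The largest drops identify the risks
    on which mitigation budget is best spent."""
    base = percentile(simulate(register, runs, seed), level)
    result = {}
    for i, (name, *_rest) in enumerate(register):
        without = register[:i] + register[i + 1:]
        result[name] = base - percentile(simulate(without, runs, seed), level)
    return result


if __name__ == "__main__":
    print(f"analytic expected loss: {expected_loss_analytic(RISK_REGISTER):,.0f}")
    for key, value in summarise(RISK_REGISTER).items():
        print(f"{key:>14}: {value:,.0f}")
    ranked = sorted(sensitivity(RISK_REGISTER).items(), key=lambda kv: -kv[1])
    for name, drop in ranked:
        print(f"removing '{name}' lowers the P80 contingency by {drop:,.0f}")
```

The simulated mean should sit close to the analytic expected loss (a cheap check that the sampling is wired correctly); the gap between the P50 and P95 lines is what a budget reserve has to cover. The sensitivity step is the crude "remove one risk and re-run" form of a tornado analysis, and it needs a large run count because each re-run uses a fresh random stream; with a history of only a handful of projects, as the paragraph above warns, the input probabilities themselves would be the weakest link, not the arithmetic.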

Now the system is in place, and now we are in control? Wrong! This is where the real work starts. How do I get my organization to adopt risk in its daily business? How do I get input of the right quality? How do I make everyone a risk manager? This takes time and effort. Guide your people in how to make the assessments and make them part of it. Show them what their contributions led to, and make their life easier. That is what we call Smarter Risk.

IBM OpenPages and Deloitte have put together a risk methodology for project risk where all these technological and organizational aspects come together and can be integrated in your enterprise risk platform.

A recent Congressional hearing on MF Global has shed more light on how well the company did, or didn’t, handle its risk management responsibilities. A couple of weeks ago the House Financial Service Committee’s oversight panel heard testimony from the firm’s chief risk officers. As CRO, Michael Roseman in 2010 raised concerns about the firm’s European Sovereign debt positions, reportedly clashing with top executives but in any event seeing to it that the board of directors was informed of what was going on. (For more on this, you can look back to my December 15 posting.) Then in early 2011 MF Global hired a new chief risk officer, Michael Stockman, who like CEO Jon Corzine was a former Goldman guy. One Congressman reportedly said it appeared “Stockman was hired to tell Mr. Corzine what he wanted to hear,” and another called him a “yes man.” Whether that’s fair or not is debatable, though one wonders why the change of CROs was made in the first place. In defense, Stockman said that for the first several months of his tenure he believed the firm’s “risk profile associated with the company’s European sovereign debt position was acceptable in light of then-prevailing market conditions,” but “as credit markets deteriorated in the summer of 2011, I came to the view that it would be prudent for the company to mitigate the increased risks.” Whether his initial assessment was justified and whether he pushed hard and timely enough with management and the board certainly is questionable.

Fascinating here is what was said by the Congressmen doing the questioning, reportedly telling Stockman that it was up to the chief risk officer to “rein in their bosses’ risk taking.” If that indeed was said, then it shows a sad lack of understanding of what a chief risk officer’s role truly is. In highly summarized form, if the role is structured well, the CRO is responsible for establishing a process within the organization where managers timely identify, analyze, and manage risk, with communication systems in place to ensure appropriate upstream reporting. The reporting element is critical, not only within the organizational infrastructure but also going to the very top. The CRO needs to be sure top management and ultimately the board of directors are fully apprised of significant risks. And if management refuses to inform the board, then the CRO has to do it him/herself. CRO Roseman seems to have made sure the board was apprised.

A CRO’s job is not easy, especially when a company takes on what can only be deemed unusually high risk positions. The CRO needs to be sure the risks are identified, analyzed and reported, which seems to be the case here. The board was apprised of the risks when Roseman was CRO, and we’re told the directors considered the risks and acquiesced. A board of course should probe deeply enough to truly understand the risks and surrounding circumstances. If those actions occurred, and the CRO was convinced the board had sufficient understanding and insight, then he has done his job – which does not, as the Congressmen asserted, include the CRO himself reining in the risks.

No doubt more insights will emerge and the picture of what happened will become clearer. Investigators might even find out what happened to the more than $1 billion (one estimate is as high as $1.6 billion) of “missing” customer money, and whether internal controls were faulty or overridden as the firm was about to go under. In any event, it’s important that the different roles of a CEO, CRO and board be fully understood. The CRO does not and cannot be responsible for the ultimate actions of a CEO and board of directors. The CRO’s role includes seeing that top management and the board understand the risks and make well-informed judgments. And yes, those judgments may ultimately prove to be bad, or even fatal as was the case with MF Global.

A client of mine recently asked me what I have seen as the most effective way to run a selection process. Now I know this may seem a conflict of interest, a GRC solution vendor writing on the GRC software selection process and the need for a GRC platform. Still, I think I can give you some dos and don'ts on a GRC software selection process, since I have been there many times.

Let’s start with the need for a GRC software platform. Why do you need one?

Of course, investing in a solution needs a compelling event. Either the cost of risk management and compliance becomes very high, or the process takes too long to be responsive to stakeholders, or the 'in control' statement can no longer be guaranteed. External regulators can also advise you to implement software.

Before you start thinking about a GRC platform, carefully review the risk and compliance maturity level of your organization and the scope of the problem. This will help you judge between two approaches. The first approach is what we call a 'point solution'; the second is an 'enterprise solution'.

The first approach, the point solution, is best when the compelling event is there but the scope is limited to one area. At a single point of your GRC activities you have a pain that must be resolved in a fairly short term. In this case you can search for specific capabilities with specific knowledge. You can make a selection of vendors that operate in the area where you have the pain and select the partner that understands your area. Of course, you might want to consider your long-term ambition. If your long-term ambition is enterprise-wide GRC integration, you might still look at enterprise vendors and use the specific area as a 'pilot' for further extension.

The second approach, the enterprise solution, is best when the compelling event is the integration of governance, risk and compliance. The term risk and control convergence often comes up here. This approach requires a lot more work than the point solution and may have cultural impact. You might consider a second party to help you go through this project. A second party (a consulting firm) can help you make critical decisions and review your current (silo-based) approach to GRC. They can keep the holistic view for you. Every silo needs to be reviewed and mapped to the enterprise approach. This will not come without discussions and sacrifices!

So the need is there, now how to make your selection?

In the point solution approach there are just two considerations: short term or long term? In the short-term case, do NOT select an enterprise vendor; go for the right point solution. The advantages are lower cost and shorter implementation time. The second consideration, long term, means a selection between enterprise GRC software vendors, treating the first phase as a pilot for the enterprise approach. You might still want to involve a consulting firm with specific knowledge.

In the enterprise approach you will go for an enterprise vendor. This is where you want to be careful in setting up your selection. I personally have seen many of these selection processes, having taken part in many of them. And this is where I want to give you some guidance to save you a lot of time and money.

First, do NOT expect the enterprise vendors to differentiate on functionality. The GRC software market has evolved over the last 10 years into a fairly mature one. So a 'beauty contest' is a waste of money and resources: the outcome will be equal for all vendors, and you will be stuck between your user community and the vendors in the process. You might get questions from your management team about why you spent so much time and resources without any outcome.

Secondly, involve your end users in the selection process early, but do not expect 20 people working in silos to come to one single conclusion. Again, you will end up in a long discussion with no outcome. Have a small group of people (three, preferably) make the selection.

Thirdly, make your selection criteria known upfront and make them measurable. Also involve the vendors in the process and be open with them. If you are open and honest, you will get transparent, open and honest answers. If you hide, vendors will hide! Criteria should be based on experience in your market, understanding of your organization, size and financial stability, ability to deliver on time and within budget, alignment of the vendor's implementation approach with your implementation methodology, and cultural fit.

Again, this may look like preaching to the choir, but I hope I have just saved you time and money that you can invest in your implementation.

In case you were too busy watching your kids open their holiday presents you might have missed a “gift” for you – COSO’s updated internal control framework. During the holiday season the draft was exposed for public comment, so if you haven’t already done so, you might want to get your hands on it and tell COSO what you think, and how it might be further improved.

In looking over the draft you’ll see that the fundamental concepts and structure remain. The definition of internal control, the five components, and the COSO cube are unchanged. So are the three categories of objectives, except that the reporting category is expanded to include all reporting by an entity: financial and non-financial, internal and external. This brings the internal control framework in line with how the reporting category of objectives is defined in COSO’s Enterprise Risk Management—Integrated Framework issued in 2004. Another enhancement in the updated framework is inclusion of what are called “principles” and “attributes” of internal control. The initial framework implicitly reflected the core principles of internal control, whereas the updated version explicitly states the 17 principles, representing the fundamental concepts associated with the components of internal control. Supporting the principles are attributes, representing characteristics associated with the principles. Together the principles and attributes comprise criteria put forth to assist management in designing and developing systems of internal control and assessing its effectiveness.

Other enhancements include:

Emphasis on the increased relevance of technology, focusing on sophisticated, decentralized, and mobile applications involving multiple real-time activities that can cut across many systems, organizations, processes, and technologies.

Expanded discussion on governance relating to the board of directors and committees, including audit, compensation, and nominating/governance.

Enhanced focus on anti-fraud expectations, with expanded discussion on fraud and the relationship of fraud and internal control.

Reflection of the evolution of different business models and organizational structures, including use of external parties for providing products or services, the increasingly competitive landscape, globalization, dynamic industry and technological changes, evolving business models, competition for talent, cost management, and other factors that have required management to look beyond internal operations to access needed resources via a shared service model, outsourcing to an external party, spinoff, joint venture, or other approach.

You’ll see the term “ICEFR” (pronounced ice-eh-fer), which is the acronym for internal control over external financial reporting. Because of the importance of the internal control framework for reporting under such requirements as Sarbanes-Oxley, COSO decided to offer a separate guidance document highlighting how the framework can be effectively applied for that purpose. It’s organized around the five internal control components, containing approaches for and examples of their application, with direct linkage to the principles and attributes in the framework. It’s important to keep in mind that the ICEFR guidance is just that, guidance; it will neither replace nor modify the framework. It will be exposed for comment later on this spring.

Well, it’s a case of speak now, or…. If you’re involved in any way with internal control, you’ll want to provide your input on the document. By the way, I’m biased in a positive way – for full disclosure, I was the lead PwC project partner of the team that developed the original Framework, played a similar role with the COSO ERM framework, and advised the project team that developed this updated framework. But you may have different views, and it’s important to make them known. The comment period ends March 31.

We know the Olympus Corp. suffered a major management fraud. Financial statements were manipulated to hide huge losses, resulting in its stock price dropping like a rock and jeopardizing the company’s listing status and indeed existence in its current form. For more on the fraud, you may want to look at my October 15, 2011 blog posting.

Those looking at this fiasco may well be asking why this fraud, which had been going on for more than a decade, wasn’t brought to light any sooner – that is, before newly appointed CEO Michael Woodford began to smell a rat. Well, now it’s come out that one critical element in detecting and possibly preventing fraud at the highest management levels – having an effective whistleblowing process – wasn’t in place at Olympus. Sure, they had a process, but now it’s reported that the very executives perpetrating the fraud were in charge of the hotline! It’s said that the company’s internal auditors and other employees wanted the whistleblower system to be run by outside parties, but at least one of the executives alleged to have been driving the fraud objected and won out. According to an independent panel investigating the fraud, the corporate atmosphere was such that the hotline was “significantly disabled.” Is it essential to have the hotline outsourced? No. But it is critical that company personnel feel confident that their communications will not come back to haunt them, which is said not to have been the case at Olympus.

Much has been written about management fraud, and what internal controls are needed to prevent or detect it. But my experience is that it really comes down to four key factors. One is having a culture of integrity and ethical values, with the “right” tone at the top of the organization and open communication channels. Another is a board of directors (and audit committee) that is independent and providing effective oversight. One more is an effective internal audit function. And then there’s an effective whistleblower process. Based on what’s been reported, Olympus evidently didn’t have any of these big four – we don’t know much about the functioning of its internal audit function, but now learn that the company is suing the former internal auditor along with two other executives who an independent panel said “orchestrated the scheme.” So is it surprising that such a fraud could have existed for so long? In light of its governance, risk management and internal control processes, the answer is “not really.”

When we look at the potential of management fraud, it’s critical to look at these four elements. If even one is missing, the chance of fraud going undetected increases greatly. And no one should proceed with the odds stacked in favor of bad actors.
